Revoking consent and deleting data

📘

Please note, revoking a customer’s consent will not delete their data, it will only stop the account being accessed going forward and the data being refreshed with up to date transactions. You will still be able to view historical transactions. If you wish to delete data please scroll down to Deleting a customer's data

When a customer connects their account via Open Banking they’re also creating a consent with their provider that they can choose to revoke at any time. In this guide, we’ll provide you with the steps that you need to take in order to revoke a customer’s consent with Bud, verify that consent has been revoked, and delete a customer.

Before starting you’ll need:

  • to have created Customers - for further details on how to do this, please refer to this guide; and
  • to have setup Connect - for further details on how to do this, please refer to this guide if you plan to use Bud Connect, or this guide, if you’re registered as an AISP and will be using your own customer interface; and
  • a valid OAuth access token - for further details on how to authenticate to Bud’s APIs please see this guide; and
  • a valid customer_id and customer_secret associated with your ‘Project’ (API Credentials). For further details on how to register a customer, please refer to this guide.

Revoking a customer's consent

There may be times when a customer no longer requires the use of your service and therefore wants to revoke their consent. When a customer has told you that they want to revoke their consent you must notify Bud of this so that the consent with the provider can be revoked. Consents can be revoked by using the POST /v1/open-banking/account-access-consent/revoke endpoint (here). By specifying your Client-id, Customer-id, and provider you can revoke all consents between your customer and the provider. An example request can be found in the endpoint documentation.

📘

Please note, consents are created on a provider level instead of an account level which means that if a customer revokes their consent and they have multiple accounts connected, all accounts for that provider are revoked.

This is due to a limitation in the Open Banking Implementation Entity (OBIE) ecosystem that doesn’t allow the accounts connected to a consent to be altered once the consent has been created.

An example of a successful response can be seen below.

{
  "operation_id": "open_banking_account_access_consent_revoke_post",
  "data": {
    "task_id": "1ceb1d81-a80e-4825-a7c0-4d69424c9874"
  }
}

If you receive a 400 response your request has failed validation on the headers and you will need to check your request. If you receive a 401 it means that your BearerToken has failed authentication.

In the case that you receive a 500 response please retry your request and if the problem persists please raise a support request.

Checking the status of a revoke task

In a 200 response from the /v1/open-banking/account-access-consent/revoke endpoint (like example above) you will receive a task_id. You can use the task_id returned in the response to check the status of the revoke task by using the GET /v1/open-banking/account-access-consent/revoke/{task_id} endpoint (here).

An example of a successful response can be seen below.

{
  "operation_id": "open_banking_account_access_consent_revoke_get",
  "metadata": {
    "status": "Completed"
  }
}

The status will be one of three values, Completed, Pending and Failed. If the status is Completed then the consent has been successfully revoked. Pending means that it is in progress and you should poll this endpoint until the status updates, if the status is Failed you will need to submit the request again to the POST /v1/open-banking/account-access-consent/revoke.

Deleting a customer's data

If you would like to delete a customer’s data for a provider you can use the DELETE v1/provider/{provider} endpoint (here). By hitting this endpoint Bud will first revoke the customers consent before deleting the customer’s data for the specified provider.

In requests to this endpoint, you will need to specify the provider, Client-id, Customer-id and Customer-Secret. If the request has been successful you will receive a 204 response. If you receive a 400 response your request has failed validation on the headers or parameters and you will need to check your request. If you receive a 401 it means that your BearerToken has failed authentication.

In the case that you receive a 500 response please retry your request and if the problem persists please raise a support request.





If you have any questions, please contact us via the chatbot (bottom-right of screen 👉) or via a support request or check our FAQs.